Re: Getting point-and-click working

[David Wright]

On Sun 10 Feb 2019 at 13:43:16 (+0000), David Sumbler wrote:
> Thank you all for your help in this matter.
> 
> Today I have point-and-click working as it should, with AppArmor
> apparently doing what it is supposed to do.

Great.

While reading the following, bear in mind that I run Debian, and
apparmor itself is not installed here. My interest is mainly
concerned with futureproofing. (I think buster is already in
one of its frozen stages on its way to release. Who knows if
apparmor is installed by default.)

> What made the difference was the following:
> 
> The Usage Manual 4.1.1 says that the lines
>       # For Textedit links
>       /usr/local/bin/lilypond-invoke-editor Cx -> sanitized_helper,
> should be added to the file /etc/apparmor.d/local/usr.bin.evince . 
> This file did not exist, although there are several other files in that
> directory, so I had created the file and put just the two lines above
> in it.  Unfortunately, as I reported, point-and-click didn't work for
> me.

Debian stretch creates /etc/apparmor.d/local/usr.bin.evince during
post-installation. It's just a placeholder with a comment referring
to /etc/apparmor.d/local/README which is actually in the apparmor
package (that I had to download):

# This directory is intended to contain profile additions and overrides for
# inclusion by distributed profiles to aid in packaging AppArmor for
# distributions.
#
# The shipped profiles in /etc/apparmor.d can still be modified by an
# administrator and people should modify the shipped profile when making
# large policy changes, rather than trying to make those adjustments here.
#
# For simple access additions or the occasional deny override, adjusting them
# here can prevent the package manager of the distribution from interfering
# with local modifications. As always, new policy should be reviewed to ensure
# it is appropriate for your site.
#
# For example, if the shipped /etc/apparmor.d/usr.sbin.smbd profile has:
#   #include <local/usr.sbin.smbd>
#
# then an administrator can adjust /etc/apparmor.d/local/usr.sbin.smbd to
# contain any additional paths to be allowed, such as:
#
#   /var/exports/** lrwk,
#
# Keep in mind that 'deny' rules are evaluated after allow rules, so you won't
# be able to allow access to files that are explicitly denied by the shipped
# profile using this mechanism.

In fact, /etc/apparmor.d/usr.bin.evince doesn't contain a reference to
the local file, but several   #include <abstractions/evince>   where
is found

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.evince>

There's a lot of ubuntu stuff in these files, so I'm not sure why
the necessary files didn't get created, but in what you outline below,
you've taken what they call the "large policy change" approach above.

> With the difficulties I was having, yesterday I disabled AppArmor for
> Evince by adding a soft link to /etc/apparmor.d/usr.bin.evince in
> /etc/apparmor.d/disable/ .  This is what made point-and-click work
> eventually for me yesterday.
> 
> However, following your latest emails to the list on the topic, today I
> thought I would have another go.  I deleted the disabling link, and ran
> 'sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince'
>  again.  I also ran
> 'sudo apparmor_parser -r -T -W /etc/apparmor.d/local/usr.bin.evince'. 
> I don't know whether that needed to be done or not, but I found that it
> throws out a syntax error.

The main file contains several   path-to-foo { … }   structures which
the local file gets inserted into. The parser's not going to know what
to do with something like   bar,   being fed to it.
(I see it also seems to understand   FOO="bar"   syntax.)

> So I copied the lines out of the second file and inserted them into the
> main usr.bin.evince file.

Presumably within the   /usr/bin/evince { … }   section.

> I then deleted
> /etc/apparmor.d/local/usr.bin.evince .
> 
> After I ran 
> 'sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince'once more, I 
> found that point-and-click works as it should.

> I don't pretend to understand what is going on here, but in summary it 
> appears that if the additional lines are added to 
> /etc/apparmor.d/usr.bin.evince rather than to 
> /etc/apparmor.d/local/usr.bin.evince it all works.

I guess someone needs to disect the current ubuntu files to figure out
a preferred method, if fiddling with /etc/apparmor.d/usr.bin.evince
can be avoided.

> I should add that, in addition to the above, I have corrected the
> ownership of ~/.local/share/applications/mimeapps.list.  (I don't know
> how this came to be owned by root: I have looked at my bash history,
> and I certainly had not run
> 'xdg-mime default lilypond-invoke-editor.desktop x-scheme-handler/textedit'
> with sudo.)

My first step would be to look at the modification timestamp on the
file, then check /var/log/auth around that time.
But forensics at a distance is no fun.

> The point-and-click facility will be very useful to me now that I have
> got to the point of correcting and tweaking a 150-page score and its
> associated parts.  But without your helpful suggestions, I would never
> have got it working, so thanks again.

Thanks for setting the problem. It's made me look at an area that
others elsewhere often have problems with, so it's been a useful
learning experience about the mechanics. Now to understand exactly
what "Cx ->" means… (And zathura still doesn't work for me.)

Cheers,
David.